ScreenShot
| Created | 2025.01.17 17:22 | Machine | s1_win7_x6401 |
| Filename | beacon.exe | ||
| Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 58 detected (AIDetectMalware, CobaltStrike, Malicious, score, Ghanarava, Artemis, Tedy, Unsafe, confidence, 100%, Doina, Cobalt, Windows, Artifact, CLASSIC, EPACK, Gen2, COBEACON, Static AI, Malicious PE, erap, Detected, Kryptik, Malware@#312u84w54ntpz, Eldorado, R626175, GdSda, GenKryptik, FWMV) | ||
| md5 | 9f2637a15688e9099c502c6ffbe0acc5 | ||
| sha256 | 2adf9dcc9ddc2d10cec9a26a52233e77f075426413fe2ecf914aba67eea58bdf | ||
| ssdeep | 768:KyqzpG/6kR8uKFNmzrGp6zATK1EhreIRVmwXghtW240qqAg:686kGuKqHGp6MTKmhreIR+tN7 | ||
| imphash | e4b40ab6ac5308d4cbd835973d06cd63 | ||
| impfuzzy | 24:Q2kfjlDQn+kMLjlMblRf5XG6qXZykomvlxcqAZy:gfC+k8jlslJJG6qJyk1vkqZ | ||
Network IP location
Signature (13cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 58 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | A process attempted to delay the analysis task. |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Sends data using the HTTP POST Method |
| info | Checks amount of memory in system |
| info | Queries for the computername |
Rules (3cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (3cnts) ?
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x14008a21c CloseHandle
0x14008a224 ConnectNamedPipe
0x14008a22c CreateFileA
0x14008a234 CreateNamedPipeA
0x14008a23c CreateThread
0x14008a244 DeleteCriticalSection
0x14008a24c EnterCriticalSection
0x14008a254 GetLastError
0x14008a25c GetModuleHandleA
0x14008a264 GetProcAddress
0x14008a26c GetStartupInfoA
0x14008a274 GetTickCount
0x14008a27c InitializeCriticalSection
0x14008a284 IsDBCSLeadByteEx
0x14008a28c LeaveCriticalSection
0x14008a294 MultiByteToWideChar
0x14008a29c ReadFile
0x14008a2a4 SetUnhandledExceptionFilter
0x14008a2ac Sleep
0x14008a2b4 TlsGetValue
0x14008a2bc VirtualAlloc
0x14008a2c4 VirtualProtect
0x14008a2cc VirtualQuery
0x14008a2d4 WideCharToMultiByte
0x14008a2dc WriteFile
msvcrt.dll
0x14008a2ec __C_specific_handler
0x14008a2f4 ___lc_codepage_func
0x14008a2fc ___mb_cur_max_func
0x14008a304 __getmainargs
0x14008a30c __initenv
0x14008a314 __iob_func
0x14008a31c __set_app_type
0x14008a324 __setusermatherr
0x14008a32c _acmdln
0x14008a334 _amsg_exit
0x14008a33c _cexit
0x14008a344 _commode
0x14008a34c _errno
0x14008a354 _fmode
0x14008a35c _initterm
0x14008a364 _onexit
0x14008a36c abort
0x14008a374 calloc
0x14008a37c exit
0x14008a384 fprintf
0x14008a38c fputc
0x14008a394 free
0x14008a39c fwrite
0x14008a3a4 localeconv
0x14008a3ac malloc
0x14008a3b4 memcpy
0x14008a3bc memset
0x14008a3c4 signal
0x14008a3cc strerror
0x14008a3d4 strlen
0x14008a3dc strncmp
0x14008a3e4 vfprintf
0x14008a3ec wcslen
EAT(Export Address Table) is none
KERNEL32.dll
0x14008a21c CloseHandle
0x14008a224 ConnectNamedPipe
0x14008a22c CreateFileA
0x14008a234 CreateNamedPipeA
0x14008a23c CreateThread
0x14008a244 DeleteCriticalSection
0x14008a24c EnterCriticalSection
0x14008a254 GetLastError
0x14008a25c GetModuleHandleA
0x14008a264 GetProcAddress
0x14008a26c GetStartupInfoA
0x14008a274 GetTickCount
0x14008a27c InitializeCriticalSection
0x14008a284 IsDBCSLeadByteEx
0x14008a28c LeaveCriticalSection
0x14008a294 MultiByteToWideChar
0x14008a29c ReadFile
0x14008a2a4 SetUnhandledExceptionFilter
0x14008a2ac Sleep
0x14008a2b4 TlsGetValue
0x14008a2bc VirtualAlloc
0x14008a2c4 VirtualProtect
0x14008a2cc VirtualQuery
0x14008a2d4 WideCharToMultiByte
0x14008a2dc WriteFile
msvcrt.dll
0x14008a2ec __C_specific_handler
0x14008a2f4 ___lc_codepage_func
0x14008a2fc ___mb_cur_max_func
0x14008a304 __getmainargs
0x14008a30c __initenv
0x14008a314 __iob_func
0x14008a31c __set_app_type
0x14008a324 __setusermatherr
0x14008a32c _acmdln
0x14008a334 _amsg_exit
0x14008a33c _cexit
0x14008a344 _commode
0x14008a34c _errno
0x14008a354 _fmode
0x14008a35c _initterm
0x14008a364 _onexit
0x14008a36c abort
0x14008a374 calloc
0x14008a37c exit
0x14008a384 fprintf
0x14008a38c fputc
0x14008a394 free
0x14008a39c fwrite
0x14008a3a4 localeconv
0x14008a3ac malloc
0x14008a3b4 memcpy
0x14008a3bc memset
0x14008a3c4 signal
0x14008a3cc strerror
0x14008a3d4 strlen
0x14008a3dc strncmp
0x14008a3e4 vfprintf
0x14008a3ec wcslen
EAT(Export Address Table) is none